The release of ISO 9001:2008, like its predecessors, has been followed by a growing chorus of marketers attempting to sell training courses, webinars and books on the “new” standard, despite — and in direct contradiction with — one single fact:
ISO 9001:2008 includes no new requirements, and therefore compliance to the new standard is automatic for any previously certified ISO 9001:2000 client who maintains their normal surveillance audit schedule with their accredited registrar. The authors of the standard, ISO Technical Committee 176 (“TC 176”) went out of their way to label the 2008 version an “amendment” rather than a “revision” in order to emphasize this point. The 2008 version includes only language clarifications, and not a single new requirement.
In short, companies that are already ISO 9001:2000 need do nothing, except for ensuring that they maintain their normal surveillance audit schedules with their registrars.
Facts Don’t Stop Marketers
The fact that IS0 9001:2000 certified companies need do nothing has not stopped marketers of ISO 9001 consulting and registration from using misleading language in their marketing. In some cases, the errors are born from a lack of understanding that the transition to the new standard is largely automatic (see caveats below), but in other cases it appears to be driven by nothing more than greed.
ISO 9001 training provider Omnex appears to be one of the worst offenders. In their marketing of their “ISO 9001:2008 Auditor Transition” webinars, presented by company CTO Chad Kymal, the company indicates that its training course provides “the most comprehensive review of RABQSA, IRCA, key registrars, and ISO 9001 Technical Committee TC 176 requirements.” The course is targeted for “all first, second and thirty party auditors”, and mass emails have been sent to ISO 9001 end user organizations for the purposes of marketing the training to internal auditors within an ISO 9001 certified company.
(The blurb includes an ironic typo; see the screencap at right.)
The problem here is that there are no requirements for auditors mandated by “key registrars” or TC 176. Registrars cannot “mandate” any requirements for auditors other than their own, and certainly cannot mandate any for internal auditors of a client company. Only the standard itself — ISO 9001 — has requirements for internal auditors, and the only requirement in the standard is that auditors “shall not audit their own work.”
As for TC 176, the committee only drafts the ISO 9000 family of standards, and does not have any role in mandating anything for auditors, whether those working for client companies or registrars. ISO (and thus its technical committees) have been very clear on steering clear of anything having to do with certification to its standards. This point is reiterated every year in the release of ISO’s annual “ISO Survey” which presents data on the number of ISO 9001 certificates worldwide.
Oxebridge pooled the comments of a number of major ANAB-accredited registrars, including NSF-ISR and NQA, and all those who replied concurred with Oxebridge that there are no special requirements for auditors, whether working for a registrar or ISO 9001 end user organization, prompted by the 2008 revision.
This fact is further corroborated by ANAB, the organization responsible for accreditation and oversight of registrars. In it’s “Heads Up” document # 155, ANAB specifically states:
Because there are no new requirements in ISO 9001:2008, ANAB does not expect a CB to provide specific training to its clients or auditors.
Since May of 2009, Oxebridge has asked representatives of Omnex to provide evidence of a single TC 176 or “key registrar” requirement for internal auditors which would justify this statement, and to date has received none.
Omnex is joined by a number of other training organizations attempting to sell ISO 9001:2008 training sessions using claims that the “new” standard includes additional requirements, even though ISO, ANAB and every major registrar has been clear to state that they understand the standard does not contain any new requirements.
Registrar Confusion
Confusion remains amongst registrars, however. In a recent mass e-mail newsletter to clients and other potential ISO 9001 end users, one registrar stated, “If you have not upgraded your certificate to ISO9001:2008 by this expiration date, a Stage 1 and Stage 2 audit will be required.” Oxebridge contacted the registrar — whose name Oxebridge has elected to redact, since the error appears to be an honest one — who defended the language by stating:
Even though the [ANAB] Heads Up states there is ‘no change in the requirements’ the [registrar] is required to verify the clients system conforms during an audit. If this process does not occur prior to November 15, 2010, when ISO 9001:2000 becomes obsolete, then the client is required to complete an initial Stage 1 and Stage 2 audit to become certified to ISO 9001:2008.
Oxebridge challenged the point that the client — to whom the registrar was sending their materials — must take some action in order to maintain certification under ISO 9001:2008, citing the fact that the registrar indicated “if you have not upgraded….” In this case, there seems to be a misunderstanding on the part of the particular registrar in what is required by the registrar, and what is required by their clients. But marketing to client companies and indicating that “you” must “upgrade” is inaccurate.
Oxebridge wrote to ANAB’s Randy Daugherty, who confirmed Oxebridge’s interpretation (emphasis Oxebridge’s):
The CB must migrate its clients to ISO 9001:2008 by the deadline of 15 November 2010. Basically all that is required is that a CB use ISO 9001:2008 when conducting a surveillance or re-certification audit, and then re-issuing a certification referencing ISO 9001:2008. Considering that there was a two migration period, and considering that CBs audit each client at least once a year, all clients should be migrated without any fuss.
More Voices in the Chorus
Not unsurprisingly, even the American Society for Quality — the organization which is supposed to represent the quality profession and help its members — jumped on the exploitation bandwagon with its own training courses. For its hyperbolically-named “ISO 9001:2008 Transition Training: Be Prepared, Know the Changes” course, ASQ ignores the core fact — there are no new requirements in the 2008 standard — and instead makes the following erroneous claims:
The course clearly contrasts the differences between ISO 9001:2000 & ISO 9001:2008, and interprets the concepts and terminology of the new standard….This course gives you the tools for auditing and upgrading a quality management system to ISO 9001:2008. Requirements are referenced as product/service requirements and product and service examples are included in the discussion, making this appropriate for both the service and manufacturing sectors. Use this course for internal ISO 9001:2008 qualification of auditors and organization personnel.
Again, the marketing language uses terminology like “upgrading” to the new version, and even provides a “Transition Checklist”, ignoring the fact that a checklist is not required for something that occurs silently and automatically. And, again, there is the inference that the 2008 version includes new requirements, when it does not.
The Indian office of BSI – the world’s largest registrar, is the most egregious in its misrepresentation. On the marketing page for its transition course, the Indian office simply lies, stating “it is imperative for organizations… to upgrade” and that the 2008 changes are “significant.”
Contrast this to BSI America’s site language which states “the changes to the standard are considered to be small and fairly insignificant.”
Both BSI India and BSI America are accredited by ANAB.
The Only Possible Caveat
ANAB’s Mr. Daugherty did add one caveat regarding the “do nothing” idea:
However, one thing I have learned in life is that everything does not proceed as planned. I would think it a very rare occurrence that a client is not yet migrated…but would not be completely surprised to learn that something went wrong.
Therein lies the only known condition under which a company would not be migrated to ISO 9001:2008 automatically — if they failed to continue their regularly scheduled audits before the deadline. However, since it is the registrar’s responsibility to ensure that surveillance audits occur within the guidelines required by accreditation rules, the client need merely ensure that it does not impede the registrar’s surveillance auditing, and allow the registrar to conduct their audits along the normal surveillance schedule.
So to fail to be automatically transitioned to ISO 9001:2008, a company would have to let their surveillance audits lapse to such a degree that they did not undergo an audit in time for the November 15, 2010 deadline. To do so would require a company to intentionally and egregiously ignore the efforts made by its registrar to schedule audits.
Relax, and Don’t Buy Anything!
Language such as this and Omnex’s lead ISO 9001 end users to wrongly believe that some action is required on their part to maintain certification through the transition from ISO 9001:2000 to 2008.
But, remember, ignore the hype. Don’t buy anything! So long as you maintain your surveillance audits in good standing, the registrar is the only one who needs to do anything — you will automatically be transitioned to ISO 9001:2008.
Christopher Paris is the founder and VP Operations of Oxebridge. He has over 35 years’ experience implementing ISO 9001 and AS9100 systems, and helps establish certification and accreditation bodies with the ISO 17000 series. He is a vocal advocate for the development and use of standards from the point of view of actual users. He is the writer and artist of THE AUDITOR comic strip, and is currently writing the DR. CUBA pulp novel series. Visit www.drcuba.world
